Why Cyberattacks Are the No. 1 Risk
The paradigm shift toward always-on IT requires business leaders to rethink their defense strategy.
Read via "Dark Reading".
Police can't force you to unlock your phone by iris, face or finger
Read via "Security on TechRepublic".
ATTENTION! New - CVE-2017-18358
LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin panel.
Read via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18357
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
Read via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18356
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
Read via "National Vulnerability Database".
ATTENTION! New - CVE-2016-10736 (social_pug)
The "Social Pug - Easy Social Share Buttons" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter.
Read via "National Vulnerability Database".
ThreatList: $1.7M is the Average Cost of a Cyber-Attack
Brand damage, loss of productivity, falling stock prices and more contribute to significant business impacts in the wake of a breach.
Read via "Threatpost | The first stop for security news".
7 Privacy Mistakes To Keep Security Pros on Their Toes
When it comes to privacy, it's the little things that can lead to big mishaps.
Read via "Dark Reading".
Judge: Law Enforcement Can't Force Suspects to Unlock iPhones with FaceID
A ruling found that coercing suspects to open their phones using biometrics violates the Fourth and Fifth Amendments.
Read via "Threatpost | The first stop for security news".
US Judge: Police Can't Force Biometric Authentication
Law enforcement cannot order individuals to unlock devices using facial or fingerprint scans, a California judge says.
Read via "Dark Reading".
Smart building security flaws leave schools, hospitals at risk
Vendors of smart building hardware issued updates to products without disclosing that vulnerabilities were patched, leading security systems for schools and hospitals to be accessible via the web.
Read via "Security on TechRepublic".
Online Fraud: Now a Major Application Layer Security Problem
The explosion of consumer-facing online services and applications is making it easier and cheaper for cybercriminals to host malicious content and launch attacks.
Read via "Dark Reading".
SEC Issues Charges in 'Edgar' Database Hack
One defendant is still facing charges issued in 2015 for a $30 million hacking and securities fraud scheme.
Read via "Dark Reading".
Data Breach Roundup: U.S. Healthcare, Cryptopia, SingHealth and Experian
January is off to a running start on the data breach front, while Experian is predicting new attack frontiers ahead.
Read via "Threatpost | The first stop for security news".
Report: Bots Add Volume to Account Takeover Attacks
Bots that can launch hundreds of attacks per second are making account takeover fraud more difficult to defend against.
Read via "Dark Reading".
IDenticard Zero-Days Allow Corporate Building Access, Location Recon
Multiple hardcoded passwords allow attackers to create badges to gain building entry, access video surveillance feeds, manipulate databases and more.
Read via "Threatpost | The first stop for security news".
"Stole $24 Million But Still Can't Keep a Friend"

Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paint a chilling picture of a man addicted to thievery and all its trappings. The documents suggest that Truglia stole from his father and even a dead man — all the while lamenting that his fabulous new wealth brought him nothing but misery.

The unflattering profile was laid out in a series of documents tied to a lawsuit lodged by Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a "SIM swap" on his mobile phone account at AT&T in early 2018. Terpin also is pursuing a $200 million civil lawsuit against AT&T in connection with the theft.

Authorities arrested Truglia on November 14, 2018 on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from a different Silicon Valley executive. But Terpin's civil lawsuit (PDF) maintains that evidence was revealed at Truglia's bail hearing that he had texted his father and multiple friends to brag about the $24 million hack on the day of Terpin's theft, allegedly offering to take friends to the Super Bowl with "porn star escorts."

Terpin's lawsuit includes a large number of supporting documents, including an affidavit filed by Chris David, a 25-year-old New York City resident who claims to have been an acquaintance of Truglia's until he began to unravel the source of his new friend's overnight riches.

In his affidavit (PDF), David describes himself as a self-employed private jet broker who met Truglia in a fitness center attached to Truglia's luxury apartment building. Truglia allegedly struck up a conversation about booking private jets with his cryptocurrency. When the two met again a few days later, David says Truglia showed him accounts on his mobile phone and computer indicating he had over $7 million in cash in a JP Morgan account and more than $12 million in various cryptocurrencies.

"At the same time, Nick showed me two thumb drives (Trezors)," David recounted. "One had over $40 million in cash value of various cryptos, and the other one had over $20 million cash value of various cryptos."

David said Truglia initially explained his wealth by saying he'd made the money by mining cryptocurrencies, but that Truglia later would admit he stole the funds.

"Over the next few months, Nick and I socialized at nightclubs, local bars, the gym, and in his apartment playing video games," David recounted. "Gradually, I got to know Nick. He does not have a job or visible means of support. His typical day is to get up late, go to the gym, eat at the deli across the street, play video games late into the night and he had no friends. Nick was an egotistical braggart about his life and wealth. For example, once at a crowded lounge, he said: 'Chris, I have more money than all of the people here tonight.'"

David started documenting Truglia's activities after he and several of his friends were arrested for allegedly stealing Truglia's laptop, mobile phone and Trezor drive. That incident, recounted in this New York Post story and in David's own testimony, indicates that Truglia later recanted the accusation and chalked it up to confusion resulting from a heavy night of drinking.

According to David, when Truglia wasn't bragging about his wealth he was displaying it openly: He lived in a $6,000 per month apartment, wore a Rolex watch which he claimed cost $100,000, and boasted he was going to purchase…
Hijacking a PLC Using its Own Network Features
Researcher to show how attackers can exploit the built-in advanced connectivity functions in some Rockwell PLCs.
Read via "Dark Reading".
ATTENTION! New - CVE-2016-10738
Zenbership v107 has CSRF via admin/cp-functions/event-add.php.
Read via "National Vulnerability Database".
ATTENTION! New - CVE-2016-10737
Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.
Read via "National Vulnerability Database".